Of the two worms, known as Mywife and Snapper, the former appears to be the more worrisome and have the greater potential for spreading widely, security services said. Mywife arrives in an e-mail with a spoofed sending address and any one of several vaguely pornographic subject lines, including, "very hot XXX" and "FW:RE: Hot Erotic." The body of the e-mail also varies and some of the messages are quite graphic.
The e-mail contains two attachments, one of which is simply a graphic file that displays a fake Norton AntiVirus 2004 logo, supposedly certifying that the other attachment is virus-free. The second attached file is compressed and can have any one of several names, including: Aprilgoostree, Parishilton, Rickymartin or a handful of profanities. The compressed file contains a third file with either an .exe or .scr extension, according to an analysis of the worm done by Panda Software Inc.
A second version of the virus-infected e-mail carries a fake virus warning, purportedly from antivirus vendor Symantec Corp., informing recipients that their machine is infected by the fictitious BlackWorm virus. This version has an attachment named either Scan.tge or Scan.zip.
The Mywife code also contains a jab at Microsoft Corp., although it is never displayed on the users screen: "microsoft do u hear me? we gon kick u ass an *** u down u got my word **Black Worm**."
Once resident on a computer, Mywife goes to work removing the Windows registry entries for a variety of antivirus and security applications.
The Snapper worm is quite different from Mywife, and in fact resembles the last few variants of the Bagle virus that showed up last week. Instead of relying on the user to open an infected attachment, Snapper sends blank e-mails with spoofed sending addresses that contain code that automatically executes once the message is opened or viewed in the preview pane in Outlook. The code causes the local host computer to connect to a remote Web server located at 198.170.245.129 and try to download a file called HTMLhelp.cgi.
Like Bagle.Q and subsequent variants, Snapper exploits the object tag vulnerability in Internet Explorer to force the infected machine to download the file. That file then runs a piece of VB Script code that creates and executes a DLL in the Windows directory. The DLL, called IEload.dll, is 8,704 bytes in size.
Snapper then sends itself to all of the addresses in the users address book. However, the CGI file is not available on the remote Web server, making it unlikely that Snapper will spread very far, according to Network Associates Inc.s McAfee Security unit.
Network Associates, based in Santa Clara, Calif., listed both Snapper and Mywife as low threats.
Research Assistant
